vmware.vapi.security package¶

Subpackages¶

vmware.vapi.security.client package
- Submodules
- vmware.vapi.security.client.security_context_filter module

Submodules¶

vmware.vapi.security.session module¶

Session Security Helper

class vmware.vapi.security.session.SessionSecurityContextParser¶

Bases: vmware.vapi.security.rest.SecurityContextParser

Security context parser used by the REST presentation layer that builds a security context if the REST request has session identifier either in the header or in the cookie.

build(request)¶

Build the security context if the request has the header that contains the session identifier or a cookie that has the session identifier.

The method will first check for session identifier in the cookie, if it is not present, then it will check in the HTTP headers. The session security context is created based on the first session identifier it finds.

Parameters:	request (`werkzeug.wrappers.Request`) – Request object
Return type:	`vmware.vapi.core.SecurityContext` or `None`
Returns:	Security context object

vmware.vapi.security.session.create_session_security_context(session_id)¶

Create a security context for Session Id based authentication scheme

Parameters:	session_id (`str`) – Session ID
Return type:	`vmware.vapi.core.SecurityContext`
Returns:	Newly created security context

vmware.vapi.security.sso module¶

SSO Security Helper

class vmware.vapi.security.sso.JSONCanonicalEncoder(skipkeys=False, ensure_ascii=True, check_circular=True, allow_nan=True, sort_keys=False, indent=None, separators=None, default=None)¶

Bases: json.encoder.JSONEncoder

Custom JSON Encoder class to canonicalize dictionary and list objects

encode(o)¶

Encode a given python object

Parameters:	o (`object`) – Python object
Return type:	`str`
Returns:	JSON string in canonicalized form

class vmware.vapi.security.sso.JSONCanonicalizer¶

Bases: object

This class is responsible for transforming JSON messages into their canonical representation.

The canonical form is defined by the following rules:

Non-significant(1) whitespace characters MUST NOT be used
Non-significant(1) line endings MUST NOT be used
Entries (set of name/value pairs) in JSON objects MUST be sorted lexicographically(2) by their names based on UCS codepoint values
Arrays MUST preserve their initial ordering

Link to the IEFT proposal: https://datatracker.ietf.org/doc/draft-staykov-hu-json-canonical-form/

static canonicalize()¶

Canonicalize the input message

Parameters:	input_message (`str`) – Input message
Return type:	`str`
Returns:	Canonicalized message

static canonicalize_py_obj()¶

Canonicalize the input python object

Parameters:	input_message (`object`) – Input python object
Return type:	`str`
Returns:	Canonicalized message

class vmware.vapi.security.sso.JSONSSOSigner¶

Bases: vmware.vapi.protocol.common.lib.RequestProcessor

This class is used for signing JSON request messages

process(input_message)¶

Sign the input JSON request message.

The message is signed using user’s private key. The digest and saml token is then added to the security context block of the execution context. A timestamp is also added to guard against replay attacks

Sample input security context: {

‘schemeId’: ‘SAML_TOKEN’, ‘privateKey’: <PRIVATE_KEY>, ‘samlToken’: <SAML_TOKEN>, ‘signatureAlgorithm’: <ALGORITHM>,

}

Security context block before signing: {

‘schemeId’: ‘SAML_TOKEN’, ‘signatureAlgorithm’: <ALGORITHM>, ‘timestamp’: {

‘created’: ‘2012-10-26T12:24:18.941Z’, ‘expires’: ‘2012-10-26T12:44:18.941Z’,

}

}

Security context block after signing: {

‘schemeId’: ‘SAML_TOKEN’, ‘signatureAlgorithm’: <ALGORITHM>, ‘signature’: {

‘samlToken’: <SAML_TOKEN>, ‘value’: <DIGEST>

} ‘timestamp’: {

‘created’: ‘2012-10-26T12:24:18.941Z’, ‘expires’: ‘2012-10-26T12:44:18.941Z’,

}

}

class vmware.vapi.security.sso.JSONSSOVerifier¶

Bases: vmware.vapi.protocol.common.lib.RequestProcessor

This class is used to verify the authenticity of the request message by verifying the digest present in the security context block.

process(input_message)¶

Verify the input JSON message.

For verification, we need 4 things:

algorithm: extracted from security context

2. certificate: public key of the principal embedded in the SAML token is used 3. digest: value field from signature block 4. canonical msg: signature block is removed from the request and the remaining part is canonicalized

Sample input security context: {

‘schemeId’: ‘SAML_TOKEN’, ‘signatureAlgorithm’: <ALGORITHM>, ‘signature’: {

‘samlToken’: <SAML_TOKEN>, ‘value’: <DIGEST>

} ‘timestamp’: {

‘created’: ‘2012-10-26T12:24:18.941Z’, ‘expires’: ‘2012-10-26T12:44:18.941Z’,

}

}

Parameters:	input_message (`str`) – Input JSON request message
Return type:	`str`
Returns:	JSON request message after signature verification

vmware.vapi.security.sso.create_saml_bearer_security_context(token)¶

Create a security context for SAML bearer token based authentication scheme

Parameters:	token (`str`) – SAML Token

vmware.vapi.security.sso.create_saml_security_context(token, private_key)¶

Create a security context for SAML token based authentication scheme

Parameters:	token (`str`) – SAML Token private_key (`str`) – Absolute file path of the private key of the user
Return type:	`vmware.vapi.core.SecurityContext`
Returns:	Newly created security context

vmware.vapi.security.user_password module¶

User password Security Helper

class vmware.vapi.security.user_password.UserPasswordSecurityContextParser¶

Bases: vmware.vapi.security.rest.SecurityContextParser

Security context parser used by the REST presentation layer that builds a security context if the REST request has username/password credentials in the HTTP header.

build(request)¶

Build the security context if the request has authorization header that contains base64 encoded string of username/password.

If the request authorization header doesn’t have the username/password, this method returns None.

Parameters:	request (`werkzeug.wrappers.Request`) – Request object
Return type:	`vmware.vapi.core.SecurityContext` or `None`
Returns:	Security context object

vmware.vapi.security.user_password.create_user_password_security_context(user_name, password)¶

Create a security context for Username-Password based authentication scheme

Parameters:	user_name (`str`) – Name of the user password (`str`) – Password of the user
Return type:	`vmware.vapi.core.SecurityContext`
Returns:	Newly created security context